Terraform Workflow At Scale

173 views Asked by At

I am having a unique opportunity to suggest a workflow for IaC for a part of a big company which has number of technical agencies working for it.

I am trying to work out a solution that would be enterprise-level safe but have as much self-service as possible.

In scope:

  • Code management [repository per project/environment/agency/company]
  • Environment handling [build promotion/statefile per env, one statefile, terraform envs etc]
  • Governance model [Terraform Enterprise/PR system/custom model]
  • Testing and acceptance [manual acceptance/automated tests(how to test tf files?)/infra test environment]

I have read many articles, but most of them describe a situation of a development team in-house, which is much easier in terms of security and governance.

I would love to learn how what is the optimal solution for IaC management and govenance in enterprise. Is Terraform Enterprise a valid option?

1

There are 1 answers

0
combinatorist On

I recommend using Terraform modules as Enterprise "libraries" for (infrastructure) code.

Then you can:

  • version, test, and accept your libraries at the Enterprise level
  • control what variables developers or clients can set (e.g. provide a module for AWS S3 buckets with configurable bucket name, but restricted ACL options)
  • provide abstractions over complex, repeated configurations to save time, prevent errors and encourage self-service (e.g. linking AWS API Gateway with AWS Lambda and Dynamodb)

For governance, it helps to have controlled cloud provider accounts or environments where every resource is deployed from scratch via Terraform (in addition to sandboxes where users can experiment manually).

For example, you could:

So, there are lots of ways to use Terraform modules to empower your clients / developers without giving up Enterprise controls.